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Abstract 

We apply the pigeonhole principle to show that there must exist Boolean func¬ 
tions on 7 inputs with a multiplicative complexity of at least 7, i.e., that cannot 
be computed with only 6 multiplications in the Galois field with two elements. 
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1. Introduction 

The multiplicative complexity of a Boolean function is the minimal number 
of multiplications over the Galois field GF{2) needed to implement it. As a 
measure of a function’s non-linearity, it is an important property with many 
applications, e.g., in the analysis of cryptographic ciphers and hash functions [1], 
or in the study of the communication complexity of multiparty computation [5] . 

On a circuit level, multiplications over GF{2) correspond to AND gates, 
while additions correspond to XOR gates and the unit to the constant T (TRUE). 
Thus, an equivalent characterization of the multiplicative complexity of a Boolean 
function is to consider the minimal number of AND gates needed to implement 
the function in the presence of an arbitrary number of XOR gates. It is this 
second characterization which will be used throughout this paper. 

Given a number of inputs n, the maximal multiplicative complexity of an 
n-ary Boolean function is denoted by M(n). In other words, M(n) measures 
how much intrinsic non-linearity is possible given a fixed number of arguments. 
Determining lower bounds for M(n) is an interesting question that has been 
widely addressed e.g. in [T1I3I1]. In this article, we apply a pigeonhole argument 
to prove that M(7) > 7, raising the previous best known lower bound by 1. 

The structure of this paper is as follows. We present the necessary back¬ 
ground in Section and define an abstract notion of topology of a circuit in 
Section In Section we introduce a symmetry break to reduce the upper 
bound on the number of Boolean functions of n inputs computable by circuits 
with k AND gates. In Sectionj^ we study the different ways in which we can in¬ 
terconnect those AND gates, showing that we can drastically reduce the number 
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of relevant circuits by a generate-and-prune algorithm inspired by [S] . Combin¬ 
ing these two results, we apply a pigeonhole counting argument in Section to 
obtain our new lower bound. We conclude with an outlook on future work in 
Section 0 

2. Background 

A Boolean function on n inputs, or an n-ary Boolean function, is a function 
from {0,1}" —>■ {0,1}. The set of all Boolean functions on n inputs is denoted 
Bn , and | \ = 2^". We will often write _L for 0 and T for 1. 

It is well known that every Boolean function can be implemented by means 
of a circuit consisting of only AND (A), XOR (0) and NOT (^) gates. Fur¬ 
thermore, since —•x = x 0 T, the NOT gates can be removed if we allow the 
use of the constant T. As observed in [3], we can assume AND gates to be 
binary and XOR gates to have an unbounded number of inputs. Such circuits 
are called XOR-AND circuits therein; in this paper, we will refer to them simply 
as circuits. Due to the associativity of XOR, any circuit with k AND gates can 
therefore be specified using exactly 2A: 0 1 XOR gates: 2k of them producing 
the inputs for the AND gates, and an additional one to produce the output. 

Definition 1. For each natural number n, let = {xi | 1 < f < u} denote 
the n inputs to a circuit, and U {T}. A circuit with n inputs and k 

AND gates is a pair C = {A, O), where: 

• A = {ai \ 1 < i < k) is a list of k AND gates, where the i-th gate 
Qi = {Li, Ri) with Li, Ri C {aj | 1 < i < i} U 

• O C A U is the output (XOR) gate. 

Intuitively, each element of A represents an AND gate, whose inputs are the 
outputs of two XOR gates whose inputs are given by Li and Ri, which we will 
informally write as (0 Li) A (0 Ri). O represents the final XOR gate, and the 
function fc computed by C returns the output from this gate. 

Example 1. Consider the circuit depicted in Figure [7| which computes the 
majority function on 4 bits (returning T if at least three of the bits are T ). In 
our notation, this circuit is represented as C = {A, O), where: 

^=(01,02,03,04) Oi = ({Xi}, {X2}) 03 = ({Xi,X 2 },{ 02 }) 

0 = {03,04} 02 = ({X3}, {X4}) 04 = ({oij, {X3,X4,02}) 

Lemma 1 (Lemma 15 from |3]). At most functions from Bn 

can be computed by circuits with k AND gates. 

Proof m- For the f-th gate, there are possible sets Li and Rp. each 

may use the n inputs, T, and the i—1 previous AND gates. For the output, there 
are 2”+^+^ possibilities. Thus, there are at most 2"+^+*^ x n^=i = 

2 „+i+fe+fc(fc+ 2 n-n) ^ ,^kA 2 k+ 2 ku+u+i potentially computable functions. □ 
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Figure 1 : A circuit computing the majority function on 4 bits. The labels on the AND gates 
are as in Example]^ Here, fc(^) = © ^2) A (0:3 A0:4)) © ((a:i A2:2) A (X3 ©X4 © (X3 A2:4)). 

For n = 7 and fc = 6 , Lemma [^yields an upper bound of 2^^*^ functions from 
B 7 computable with 6 AND gates, i.e., 6 AND gates are potentially enough to 
compute all 2^ Boolean functions with 7 inputs. 

Table [^represents some known values and lower bounds for M{n). The fully- 
determined values of M(n) for up to 4 inputs are folklore, and easily shown to be 
correct, while 5 was shown in [3] using an exhaustive computer-based exploration 
of all 48 equivalence classes of B^. The latter approach does not directly scale 
to 6 inputs, as the number of equivalences classes of Bq explodes to 150,357. 

The lower bound for 6 inputs is based on the observation that trivially 
M{n) > n — 1. As the above table shows, this bound is tight for the determined 
values of n < 5. The counting argument from [3] gives a non-trivial lower bound 
for n > 8 , leaving the open questions of whether the lower bounds for 6 and 7 
inputs are tight. We prove that this is not the case for 7 inputs. 

3. Topology of a circuit 

Our results capitalize on one abstraction: the notion of topology of a circuit, 
which intuitively forgets all connections except those between the AND gates, 
distinguishing only the different ways in which they use each others’ outputs. 

Definition 2. A (circuit) topology is a set A of AND gates, as in Definition^ 
except that L U i? C A for all {L, R) © A. Given an AND-XOR circuit C = 
{A,0), the topology of C is {{LGA,RGA) \ {L,R) ©A). 

Informally, a topology abstracts from the linear part of the circuit, consid¬ 
ering only the connections between the AND gates; different circuits with the 
same topology can compute different Boolean functions. 

Example 2. The topology of the circuit C in Figure^is { 01 , 02 , 03 , 04 }, with 
01 = 02 = ( 0 , 0 ), 03 = ( 0 ,( 02 }) and 04 = ({ai},{o 2 }). 

Definition 3. Let T he a topology. A function f © Bn is computable by T if 
f is computed by some circuit C whose topology is T. 


n 

1 

2 

3 

4 

5 

6 

7 

8 

M{n) 

0 

1 

2 

3 

4 

> 5 

> 6 

> 9 


Table 1 : Known determined values and lower bounds of M{n) for up to 8 inputs. 
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The notion of topology allows us to give a different proof of Lemma Since 
each AND gate consists of two subsets of the previous gates, the total number 
of different topologies on k gates is 

k 

. ( 1 ) 

i=l 

On the other hand, each input to each gate in a topology abstracts from 2”+^ 
concrete circuits (those containing the AND gates specified in the topology, plus 
any combination of circuit inputs and possibly T), so there are 

(2«+i)2fc ^ 2^+"+! (2) 

circuits with any given topology, where the second term in this product counts 
the number of possibilities for the output gate. Combining both estimates, 
we obtain a total of 2'='"'= x (2”+i)^'' x 2'=+"'+i = = 

2k +2k+2kn+n+i (jiffe]-0nt cii'cuits. In the next sections, we will optimize the 
bounds in Equations 0 and 0 separately. 


4. Breaking symmetry on negations 

In this section, we note that there are different circuits with the same number 
of AND gates that compute the same n-ary Boolean functions, and that we can 
provide a syntactic characterization for many of these, thus improving the bound 
of Equation 0. 

Definition 4. Let C = {A, O) be a circuit. We say that C is negation-normal 
if there is no gate (L, R) € A such that T G L H R. 

Lemma 2. Every n-ary Boolean function computable by a circuit with k AND 
gates can be computed by a negation-normal circuit with k AND gates. 

Proof. By using the equivalence (A0T)A {Y 0T) = (XAF) 0A0y 0T 
we can rewrite any circuit so that no AND gate has T added to both its inputs. 
Observe that both sides of the equation use only one AND gate. □ 

Theorem 1. The number of negation-normal circuits on n inputs with a given 
topology on k AND gates is at most (3 x 2^")^ x 2"+^+^. 

Proof. The argument is similar to the one establishing Equation ([^ . Each AND 
gate in the topology corresponds to 3 x 2” x 2” possibilities: each input can 
receive any subset of circuit inputs (the two 2" factors), and either one may also 
receive T, but not both. The possibilities for the output gate are unchanged. □ 

Combining this result with Equation Q, we obtain the following result. 

Corollary 1. At most 3* x 2^ -k2kn-\-n-\-i jy^j^ctions from Bn can be computed 
by circuits with k AND gates. 
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On its own, this (small) improvement does not produce any new lower 
bounds for M{n); in particular, for n = 7, the number of functions potentially 
computable with 6 AND gates becomes 3® x 2^®+®^+’^+^ > 2® x 2^^® = 2^®"^. 

5. Breaking symmetry on topologies 

We now focus on improving the bound in Equation 0 by showing that some 
topologies compute the same functions. 

Definition 5. The set is the set of all possible topologies with k AND gates. 

Our goal is to remove elements from while preserving the set of all func¬ 
tions computable by a topology in that set. The first observation is that the 
actual order of the AND gates is irrelevant for the function computed by the 
actual circuit, so we can eliminate topologies that only differ on these labels. 

Definition 6. Two topologies T and T' are equivalent, denoted T = T', if there 
is a permutation tt of {1,... ,n} such that: {L, R) G T iff either (7r(L), 7r(i?)) G 
T' or (7r(i?), 7r(L)) G T', where tt is structurally extended to sets and pairs. 

It is easy to check that this relation is an equivalence relation. 

Lemma 3. Let T and T' be topologies, with T = T', and C be a circuit with 
topology T. Then there is a circuit C with topology T' such that fc = fc ■ 

Proof. Construct C' by renaming the AND gates in C according to tt. By com¬ 
mutativity and associativity of 0, together with commutativity of A, a straight¬ 
forward reasoning by induction establishes that f^' = f(L'''^ for 1 < f < fc, and 
therefore that fc = f^ = = fc- □ 

Consecutive AND gates in a topology can be grouped in disjoint layers, such 
that the gates in each layer only depend on the outputs of gates in previous 
layers. The algorithm in Figure computes the maximal layering of the gates 
- the one such that no layer can be extended forward. 


Algorithm Layering 

(input) 

topology T = {{Li, Ri) 1 < i < fc) 

(init) 

£ := 1, Si ~ 0 

(loop) 

for i = l..fc 


if St n {Li yjRi) = % 
then St := St U {oi} 
else i ■.= l-\- 1, St = {ui} 

(output) layering Si,..., St 


Figure 2 : Algorithm Layering to compute a maximal layering of a topology. 

The following definition captures the idea that gates should only be in a 
layer i if one of their inputs depends on a gate in the previous layer i — 1. 
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Definition 7 . A topology T = {{Li,Ri) \ i = is well-layered if its 

layering Si,, Sm is such that, for every i and k, ifai G Sk, then LiHSk-i ^ 0 - 

Example 3 . The topology from the circuit in Figure^has layers {01,02} and 
{03,04}, and thus it is well-layered, as both 03 and 04 use the output 0/02. 

The topology {o},03,Og,04} for the same circuit, where 0} = 02, o^ = 03, 
O3 = oi and 04 = 04, is not well-layered: its layers are {o}}, {03,03} and {o}}, 
and gate 03 does not use any gate in the previous layer. 

Lemma 4 (Layering). Every topology is equivalent to a well-layered topology. 

Proof. Let T = {{Li, Ri) \ i = 1 ,... ,k) and Si,..., Sm be its layering. Assume 
T is not well-layered, and let i be the smallest index such that o^ G Si and 

Li n Se-i = 0. 

If RiCiSi-i, then build T' by replacing {Li,Ri) with {Ri, Li) in T. Otherwise, 
let j = max{z \ Oz G Li'S Ri\, with max(0) = 0; let tt be the permutation 
inserting i between j and j -I- 1 (so 7r(j) = j -\-l, 7r(z) = z -I- 1 for } < z < i, and 
7 r(z) = z for all other z), and take T' = 7r(r), interchanging Li and Ri in oi if 
Oj G Ri. Observe that T' is still a valid topology. 

In either case, all indices up to i satisfy the layering condition. In the first 
case this is trivial; in the second case, note that j cannot occur in L_,+i ,..., Li or 
Rj+i, ..., Ri in T', so J -|-1, ..., i remain in the same layers as the corresponding 
j,... ,i — \ in the layering of T. 

Iterating this construction yields a well-layered topology equivalent to T. □ 

Corollary 2 . Let Tk he the set of well-layered topologies in T^. If f G is 
computable by a topology in , then it is computable by a topology in T^. 

Proof. Consequence of Lemmas and □ 

We now begin to eliminate redundant topologies from 7 }}. Our results make 
use of the following identity, valid for all Boolean values P and Q. 

PAQ = PA(P0Q0T) (3) 

Definition 8. A topology T is minimal if the following hold for all {L, R) G T. 

(i) (A) If L then L % R, and (B) If Rf^^, then R% L. 

(a) If L C\ R %, then {LC\ R) < L\R and {LC\ R) < R\L, where < is any 

(fixed) total ordering of p{{ai ,..., a^}). 

Lemma 5 . If f G Bn is computable by topology T, then it is computable by a 
well-layered and minimal topology T' with the same number of AND gates as T. 

Proof. Let C be a circuit computing / with topology T. Without loss of gener¬ 
ality we can assume T is well-layered. Assume also that T is not minimal. We 
show that we can transform C so that the three conditions are met; at each stage, 
the triple {vi,V2,V3) indicating the number of gates violating conditions (i-A), 
(i-B) and (ii), respectively, decreases w.r.t. lexicographic ordering. Since C is 
finite, iteration produces a circuit with minimal topology. 
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(i-A) Assume that gate a = (L, R) is such that L Q R, so that i? = L U R'. 
Then the function computed by this gate can be written as ((0 L) 0 A) A 
mL)®{®R')®B), and by (§ this is equivalent to ((0A) 0 A) A 
((0i?')0A0_B0T). Replacing a by {L,R!) yields a circuit that has one 
less violation of condition (i-A). 

(i-B) Assume that gate a = (L, R) is such that R C L, so that L = L' U R. 
The construction is analogous, using the equivalence between ((0T') 0 
(0R)0 A) A ((©i?)0R) and ((0 L') 0 A 0 R 0 T) A ((© i?) 0 R). 

In order to ensure that the resulting topology is well-layered, it might be 
necessary to interchange L' and R in the gate replacing a, as possibly only 
R intersects the previous layer. 

(ii) Assume that gate a = (L, R) is such that L n i? 7^ 0, so that L = X U L' 
and R = X U R' , with all of L' , R' and X not empty (otherwise condition 
(i) would not be met). Again by ^ we can write the function computed 
by this gate as one of 

((© ^) ® (© L') 0 A) A ((0 ^) ® (0 R') ® B) 
mx)®{®L')®A)^mL')®{®R!)®A®B®T) 
{{®L')®{®R')®A®B®T)^mx)®{®R')®B) 

and we can replace a by a gate whose inputs intersect on either A, L' 
or i?', which means we can always ensure it to be the lexicographically 
smallest of the three. 

Since either X or L' intersects the previous layer, it is also possible to 
guarantee layering, if necessary by permuting the inputs. Likewise, the 
resulting gate always satisfies condition (i). □ 

Definition 9 . The set Tk is the set of all well-layered and minimal topologies 
using k AND gates. 

Merging Lemmas and we obtain the following result. 

Theorem 2 . Every n-ary Boolean function computable by a circuit with k AND 
gates is computable by a topology in Tk ■ 

The iterative algorithm in Figure [^computes a set of minimal, well-layered 
topologies unique up to equivalence - in other words, representatives of the 
elements of 7fe/=. It generates these topologies layer by layer, pruning those 
equivalent to some other, in the spirit of [5]. In the last line of the (loop) in 
Extend, the notation T ■ a denotes the list obtained by appending gate a to T. 

Theorem 3 . IfTGTk, then T = T' for some T' G Generate{n). 

Proof. A topology with k gates has at most k layers, and Generate loops 
through all possible lengths of these layers. 
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Algorithm Generate 

(input) k 

(init) j ■- 1, Tk ■■= {((0,0) |l<*<-^)|l<^<fc} 
(loop) for j — 2..k 

for T e 

if T has k gates 

then Ti := U {T} 

else 7? := 77 U Extend(fc, T) 

(output) Tk 


Sub-algorithm Extend 

(input) k, topology T with less than k gates 

(init) Ext := 0, Out = ij, m := k — \T\, Si,..., Si := Layering(r) 

(loop) for i = l..m 

for L,R^pi{l,...,\T\}y 
iiVj{LjnSi y 0 
and Lj 2 Rj 

and (Rj 7 0) (Rj % Lj) 

and (Lj n Rj 7 0 )^ [(Lj n Rj) < mm(Lj \ Rj,Rj \ Lj)\) 
then Ext := Ext U {T ■ {{Lj, Rj) \ j — 1,..., i}} 

(prune) for T' £ Ext 

if T' ^ T" for all T" € Out 
then Out := Out U {T'} 

(output) Out 


Figure 3 : Iterative algorithm Generate to compute 7 j;/=. 


In Extend, we loop over all possible combinations of outputs from previous 
gates. The condition in the innermost loop excludes gates that lead to non-well- 
layered or non-minimal topologies. The pruning step guarantees that the first 
representative of each equivalence class of topologies is kept. 

Therefore every minimal and well-layered topology is equivalent to an ele¬ 
ment of Generate(fc). □ 

Table shows the sizes of the sets 7fe/ =, computed using two independent 
implementations of Algorithm Generate. 


k 

1 

2 

3 

4 

5 

6 

\Tk/ ^ 

1 

2 

8 

88 

3,564 

555,709 


Table 2 : Number of non-equivalent minimal well-layered topologies using k AND gates. 


Replacing the estimated number of topologies on k AND gates given in 
Equation 0 reduces the straightforward upper bound on the number of com¬ 
putable functions on 7 inputs with 6 AND gates from 2^^^ to 555,709 x > 











2^® X = 2^^®, which is still (just) larger than the number of 7-ary Boolean 
functions. However, combining this result with Theorem does produce a new 
result, presented in the next section. 

6 . The result 

Combining Theorems andwe immediately obtain the following result. 

Theorem 4. At most 3^ x 2®^"+"+''+^ x \Tk/ =\ functions from Bn can he 
computed by circuits with k AND gates. 

Theorem 5. There is a Boolean function on 7 inputs with a multiplicative 
complexity of 7 or higher. 

Proof. By Table[^ there are 555,709 possible topologies for circuits with 6 AND 
gates. Instantiating n = 7 and fc = 6 in Theorem and using this value, we 
conclude that the number of 7-ary Boolean functions computable by circuits 
with 6 gates is at most 555,709 x 3® x 2®® < 2®® x 2^® x 2®® = 2^®® = \B^\. 
Therefore, not all functions in B-j can be computable by these circuits. □ 

7. Conclusion and Future Work 

In this work we have shown that M{7) is at least 7, raising the previously 
known lower bound by 1. The case of 7 inputs has consequently become the 
smallest known case where M{n) > n — 1. 

In the future, we are planning to determine M(6), which we conjecture to 
be 5, by extensive computer experiments refining the approach of [3]. Also, 
we plan to find an actual Boolean function on 7 inputs with a multiplicative 
complexity of 7 or higher as a witness to our non-constructive proof. 
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